riomsc, spoolsv, iexplore, and r.exe [CLOSED]


  • This topic is locked

#1
kagome54x
Member, 14 posts
Back in January my dad finally gave in and replaced our Windows 98 with a Windows XP. Unfortunately, his friend owns a company and buys computers in bulk, so it's part of his company and some of the settings we have don't work. So I hope I just have all the settings I need to be able to fix this ;).

Well, just last night my computer got infected. I've been reading the forums for hours trying to get rid of it all. I managed to get rid of some and only had one left. I found the removal instructions for it, went into safe mode, cleared everything out, and rebooted. After rebooting, I've come to find even more junk ;).

I've downloaded a few new programs to help clear everything out, but now I'm stuck with these few things again. I'm not sure where I went wrong or how I came back with new things. Here's my log, and thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 6:14:06 PM, on 07/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\r.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optonline.net
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.co...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game5.pogo.co...l-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O21 - SSODL: NTDBGTOOL - {DCF11BCD-C6B9-4BC0-A745-6E81117FA171} - C:\WINDOWS\System32\oembsent.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Fidelity Workstation Configuration Service (Fconfsvc) - Fidelity Investments - C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Edited by kagome54x, 15 July 2005 - 09:24 PM.

  • 0



#2
kagome54x
Topic Starter, Member, 14 posts
Oh, and I forgot to mention the svchost.exe. Whenever I reboot, I start up with 5 of them. I've figured out which ones are bad and which ones aren't by now, so if anyone has a fix for getting rid of the unneeded ones, that'd be appreciated also.
  • 0

#3
kagome54x
Topic Starter, Member, 14 posts
Well, I've lost my sound card/driver. I don't know what happened to it; I haven't messed with sound or anything that wasn't obviously malicious. I'm sorry to be so impatient, but I'm worried about what I might lose next. I've also noticed my drivers folder has been modified sometime today. I haven't touched it, so I'm not sure what's going on. Plus, I don't think we received any driver install CDs along with the computer, so it'd be a mess if we lost everything.
  • 0

#4
kagome54x
Topic Starter, Member, 14 posts
Okay, I've found another problem, this time with my desktop. It's white, but when you mouse over it, it turns gray. When you right-click, it shows the same options as you would see on any website. I've found its source by going into Properties, but for some reason it doesn't show up there, as if it were hidden. I have "show all hidden files" on and still nothing. And of course, I can't change it through Control Panel -> Display because it deleted some tabs.

Edited by kagome54x, 15 July 2005 - 09:54 PM.

  • 0

#5
Canoeingkidd
Malware Expert, Retired Staff, 148 posts
Hello kagome54x, welcome to Geeks to Go.

RioMSC.exe, iexplore.exe, svchost.exe, and spoolsv.exe are all legitimate and it is usual to have multiple instances of svchost.exe running at one time.

First, I need to know what you have already done and removed. In your first post you said you "cleared everything out". What did you remove?

I also need you to post a new HijackThis log in a reply to this topic as your last one is a little old.
  • 0

#6
kagome54x
Topic Starter, Member, 14 posts
I was reading a little bit about spoolsv.exe, and they say in some cases it's a virus and in others it's just something that involves my printer. Thanks for clearing that up though; I feel a little more relaxed now.

Okay, now about clearing everything out... I'm really sorry, but I don't think I remember what it all was. I think I had something called SpySheriff and something called oleadm. Once again, I'm sorry, I don't remember the rest of it.

Thanks for your help! Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:11:15 PM, on 07/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.co...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game5.pogo.co...l-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121799624203
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Fidelity Workstation Configuration Service (Fconfsvc) - Fidelity Investments - C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  • 0

#7
Canoeingkidd
Malware Expert, Retired Staff, 148 posts
I'm not sure what's going on here... but if you have already removed items with HijackThis it will be hard for me to figure out what happened. If you haven't, then I already know what to do to restore your desktop.

Run HijackThis and click "View the list of backups". If there are any items in the main window, select all of them one at a time and click "Restore".

Also check to make sure no items are on Ignorelist. From the backups screen click "Ignorelist" at the top. Click "Delete all".

Check to make sure all items are enabled in MSconfig. Go to "Start" > "Run" and type msconfig then click "OK". If "Normal Startup" is not selected select it, click "OK" and then click "Exit without Restart". This way the malware won't get a chance to start up as long as you do not reboot.

Run HijackThis and post a new log in a reply to this topic. Do not reboot until I post further instructions.
  • 0

#8
kagome54x
Topic Starter, Member, 14 posts
Here we go:

Logfile of HijackThis v1.99.1
Scan saved at 5:28:19 PM, on 07/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgkxkcmz] c:\windows\system32\tgkxkcmz.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SystemVBS] C:\WINDOWS\System.VBS
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [LockWS] LockWS.exe
O4 - HKLM\..\Run: [l67r9gor] C:\WINDOWS\System32\l67r9gor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HKCU] C:\WINDOWS\system32\cmd.exe /C Start "HKCU Updates" /MIN "C:\Program Files\current profile updates\hkcu.exe"
O4 - HKLM\..\Run: [ggN1A] C:\WINDOWS\ittcwh.exe
O4 - HKLM\..\Run: [gDc6bmeDG] C:\WINDOWS\taius.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [G4sOFG8Y] C:\WINDOWS\sidjo.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CheckRights] C:\Program Files\Fidelity\Security Configuration\chkrights.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [5s6O33j] tlnipto.exe
O4 - HKLM\..\Run: [301989436aec] C:\WINDOWS\System32\advpack7.exe
O4 - HKLM\..\Run: [0mipec02] C:\Program Files\0mipec02\0mipec02.exe
O4 - HKLM\..\Run: [0edce206addb] C:\WINDOWS\System32\comres94.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Wigaa] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [uiiq] C:\PROGRA~1\COMMON~1\uiiq\uiiqm.exe
O4 - HKCU\..\Run: [Tsaa] C:\Program Files\nlao\oaau.exe
O4 - HKCU\..\Run: [Tnshjj] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [KBpERTHsU] ssddm.exe
O4 - HKCU\..\Run: [Gdfxub] C:\WINDOWS\System32\w?auclt.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [dimap] C:\WINDOWS\System32\dimap.exe
O4 - HKCU\..\Run: [Cqcspcau] C:\WINDOWS\System32\??erinit.exe
O4 - HKCU\..\Run: [Bromwi] C:\WINDOWS\System32\w?auclt.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optonline.net
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.co...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game5.pogo.co...l-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121799624203
O21 - SSODL: NTDBGTOOL - {DCF11BCD-C6B9-4BC0-A745-6E81117FA171} - C:\WINDOWS\System32\oembsent.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Fidelity Workstation Configuration Service (Fconfsvc) - Fidelity Investments - C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
  • 0

#9
Canoeingkidd
Malware Expert, Retired Staff, 148 posts
If you still have SpySpotter...you should remove it using Add or Remove Programs. It is on the list of Rogue/Suspect AntiSpyware Apps. You should also uninstall Messenger Plus using Add or Remove Programs.

Please run HijackThis, do a scan, and place a check next to the following items to be fixed:

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [tgkxkcmz] c:\windows\system32\tgkxkcmz.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SystemVBS] C:\WINDOWS\System.VBS
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [LockWS] LockWS.exe
O4 - HKLM\..\Run: [l67r9gor] C:\WINDOWS\System32\l67r9gor.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [HKCU] C:\WINDOWS\system32\cmd.exe /C Start "HKCU Updates" /MIN "C:\Program Files\current profile updates\hkcu.exe"
O4 - HKLM\..\Run: [ggN1A] C:\WINDOWS\ittcwh.exe
O4 - HKLM\..\Run: [gDc6bmeDG] C:\WINDOWS\taius.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [G4sOFG8Y] C:\WINDOWS\sidjo.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [5s6O33j] tlnipto.exe
O4 - HKLM\..\Run: [301989436aec] C:\WINDOWS\System32\advpack7.exe
O4 - HKLM\..\Run: [0mipec02] C:\Program Files\0mipec02\0mipec02.exe
O4 - HKLM\..\Run: [0edce206addb] C:\WINDOWS\System32\comres94.exe
O4 - HKCU\..\Run: [Wigaa] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [uiiq] C:\PROGRA~1\COMMON~1\uiiq\uiiqm.exe
O4 - HKCU\..\Run: [Tsaa] C:\Program Files\nlao\oaau.exe
O4 - HKCU\..\Run: [Tnshjj] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [KBpERTHsU] ssddm.exe
O4 - HKCU\..\Run: [Gdfxub] C:\WINDOWS\System32\w?auclt.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [dimap] C:\WINDOWS\System32\dimap.exe
O4 - HKCU\..\Run: [Cqcspcau] C:\WINDOWS\System32\??erinit.exe
O4 - HKCU\..\Run: [Bromwi] C:\WINDOWS\System32\w?auclt.exe
O21 - SSODL: NTDBGTOOL - {DCF11BCD-C6B9-4BC0-A745-6E81117FA171} - C:\WINDOWS\System32\oembsent.dll

Close all browsers and windows except HijackThis and click "Fix checked".

You may need to configure your computer to show hidden files. See HERE for how to show hidden files.

See if this folder is still on the machine:
C:\Program Files\current profile updates\
If it is zip it and send it HERE.

Download smitRem.zip and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop.

Now reboot into Safe mode by tapping the F8 key while your computer starts up and selecting "Safe Mode" from the menu that appears. (You will not be able to access the internet while in Safe mode).

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Reboot back to normal mode and post a new HijackThis log along with the log from smitRem.

Edit: Also post a log from HijackThis Uninstall Manager.
From the scanning screen, click "Config".
Click "Misc Tools" and then "Open Uninstall Manager".
Click "Save List" and save it.
Post the entire contents of the Notepad window that will open in a reply to this topic.

Edited by Canoeingkidd, 21 July 2005 - 04:44 PM.

  • 0
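An added example, not from this thread, from HijackThis, or from any of the tools named above, of how a defender can triage the O4 autostart entries in a log like the one posted above with a small parser, so the reasoning behind a fix list like the one in this post is repeatable rather than eyeballed. The sample lines are copied from the log earlier in the thread (plus one benign vendor entry and one Global Startup shortcut for contrast); the heuristics (a "?" in the filename, a bare filename with no directory, rundll32 loading a DLL whose name is a bare hex string, an autostart wrapped in cmd.exe) are mine, and the reading of "?" as a character HijackThis could not render is an assumption.

```python
import re

# Constructed sample input: O4 lines copied from the HijackThis log posted in
# this thread, plus one benign vendor entry (vptray) and one Global Startup
# shortcut for contrast.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe',
    r'O4 - HKLM\..\Run: [LockWS] LockWS.exe',
    r'O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1',
    r'O4 - HKCU\..\Run: [Gdfxub] C:\WINDOWS\System32\w?auclt.exe',
    r'O4 - HKCU\..\Run: [Cqcspcau] C:\WINDOWS\System32\??erinit.exe',
    r'O4 - HKLM\..\Run: [HKCU] C:\WINDOWS\system32\cmd.exe /C Start "HKCU Updates" /MIN "C:\Program Files\current profile updates\hkcu.exe"',
    r'O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE',
]

# Shape of a registry-backed O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>".
# Global Startup lines have a different shape and are deliberately not matched.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
HEXISH = re.compile(r'^[0-9A-Fa-f]{8,}$')


def parse_o4(line):
    """Split a registry-backed O4 line into hive, key, value name and command; None otherwise."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_of(cmd):
    """Return the program a Run command launches: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def suspicious_reasons(entry):
    """Heuristic triage of one parsed O4 entry; an empty list means nothing stood out."""
    reasons = []
    exe = executable_of(entry['cmd'])
    base = exe.rsplit('\\', 1)[-1]
    if '?' in base:
        # Assumption: HijackThis prints a character it cannot render as '?', so
        # w?auclt.exe is a name that only looks like wuauclt.exe.
        reasons.append('unrenderable character in filename (look-alike of a Windows binary)')
    if '\\' not in exe:
        reasons.append('bare filename with no directory, resolved through the PATH search order')
    if base.lower() == 'rundll32.exe':
        args = entry['cmd'].split(None, 1)[1] if ' ' in entry['cmd'].strip() else ''
        dll_stem = args.split(',', 1)[0].strip().rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if HEXISH.match(dll_stem):
            reasons.append('rundll32 loading a DLL whose name is a bare hex string')
    if base.lower() == 'cmd.exe':
        reasons.append('autostart wrapped in cmd.exe, hiding the real target in the arguments')
    return reasons


def triage(lines):
    """Map each suspicious O4 value name to its reasons; clean entries are omitted."""
    findings = {}
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry['name']] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_O4_LINES).items():
        print(name)
        for r in reasons:
            print('   -', r)
```

Run against the sample, vptray and the Office shortcut come out clean and the other five entries are reported with the reason that flagged them. The heuristics are a first pass for a reader of such a log, not a verdict: an entry that trips none of them (WinTools, SurfAccuracy, the ISTsvc entry) still needs to be looked up by name, which is what the fix list above does.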

#10
kagome54x
Topic Starter, Member, 14 posts
Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~

oleadm.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Not Infected!


Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Reader 6.0
AOL Instant Messenger
Azureus
Broadcom Driver Installer
Championship Bass
CleanUp!
Context Display
DiamondCS TDS-3
DivX Player
EA Network Play System
Easy CD & DVD Creator 6
ewido security suite
EZPhoto Browser
EZPhoto Tools
EZShowtime MMS
EZSuite For Video Chat Kit
EZVideo Chat 2.0
EZVideo Mail
FID-Adobe Reader 6.0
FID-Autodesk 6.0.4.2
FID-Fidelity Secure Profiles 3.0
FID-Fidelity TimeSync Utility NTP 2.0
FID-FlashPlayer 6
FID-Internet Explorer .NET FRAMEWORK FIX 6.0
FID-Internet Explorer 6 SP1
FID-IPTV v3.4 r2.0
FID-Microsoft Dot NET Framework v1.0 SP2 r1.0
FID-Microsoft Dot Net Framework v1.1 r 1.0
FID-Monitor Timeout Utility 1.4
FID-MSCAD 2.3.1
FID-Office XP
FID-ReBootUm 2.0
FID-Sametime Client 3.0 r1.0
FID-ShockWave 8.5
FID-WinZip 8.1 SR-1
HijackThis 1.99.1
hp deskjet 3600
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
HP Software Update
I.E. Host
IE Host R3
IE5 Registration
Intel® Extreme Graphics 2 Driver
Internet Explorer Q832894
IPTV Viewer
J2SE Runtime Environment 5.0 Update 1
LimeWire 4.8.1
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
MAIET Gunz
Microsoft .NET Framework (English)
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Office XP Professional
Microsoft Windows Journal Viewer
Mozilla Firefox (1.0.4)
MSN Messenger 7.0
MUSICMATCH Jukebox
neXBC 5.0
OIN
OnDVD
PSIBlade Online
QuickTime
Ragnarok Online
Ragnarok Online
Ragnarok Online
Ragnarok Online Sakray
Ragnarok Sakray
Ragnarok Sakray Pack
Rio Music Manager
RTC Client API v1.2
Sametime Client v3.0
Security Task Manager 1.6f
Select CashBack
Shockwave
SoundMAX
Spybot - Search & Destroy 1.3
Symantec AntiVirus Client
URL Display
USB PC Camera
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WinAce Archiver
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
WinPcap 3.1 beta4
WinZip
Yahoo! Messenger
  • 0



#11
Canoeingkidd
Malware Expert, Retired Staff, 148 posts
Go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present. Is your desktop back to normal?


If your version of Ad-aware is not Ad-aware SE 1.06, please download Ad-aware SE Personal and install it.
  • Before scanning with Ad-aware SE Personal:
    • Update
    • Select Check for updates.
    • Then Connect and download the latest reference file.
  • Run a FULL Ad-aware scan using the following configuration:
    • Click Scan now.
    • Select Perform full system scan and hit Next to let Ad-Aware scan your drives.
    • Allow it to scan.
    • Once it is finished, click Next.
    • Under the Critical Objects tab, right-click in the list, choose Select All.
    • Close all browsers and windows except Ad-aware and click Next.
    • It will ask for verification of checked items. Choose OK.
    • Once it has removed the entries close Ad-Aware.
Install and scan with Ewido trojan scanner:
  • If your version of ewido security suite is not the latest (v3.5) please download the free trial version of Ewido trojan scanner.
  • Install ewido security suite.
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • To launch ewido double-click the icon on your desktop.
  • The program will now go to the main screen.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Click on Start update.
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed scan with Ewido:
    • Click on scanner.
    • Click Complete System Scan.
    • Let the program scan the machine.
    • When it finds a bad file, it will ask you what you want to do with it. You must make a selection before you continue scanning.
      • Ewido has been detecting false positives lately, so do not select "Perform action with all infections".
      • Unless it is a file you know to be legitimate, select remove and click OK.
      • If you know the file is legitimate, select none and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
    • Click Save report.
    • Save the report to your desktop.
Please do an online scan with Kaspersky WebScanner. It only works in Internet Explorer.

Next, click on Launch Kaspersky Anti-Virus Web Scanner.

You will be prompted to install an ActiveX component from Kaspersky; accept it.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Standard
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste the entire contents of that text file into your next reply.
Post a new HijackThis log in a reply to this topic along with the Kaspersky log and Ewido log. Also post a new log from the Uninstall Manager.

Edited by Canoeingkidd, 21 July 2005 - 07:48 PM.

  • 0

#12
Canoeingkidd
Malware Expert, Retired Staff, 148 posts
Is the company this computer came from "Fidelity Investments" or something related to that? Some software from them seems to still be installed on this computer... do you need it?
#13
kagome54x

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:13:09 AM, on 07/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optonline.net
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.co...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game5.pogo.co...l-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121799624203
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Fidelity Workstation Configuration Service (Fconfsvc) - Fidelity Investments - C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Friday, July 22, 2005 02:09:46
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 22/07/2005
Kaspersky Anti-Virus database records: 131489
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 84733
Number of viruses found: 13
Number of infected objects: 53
Number of suspicious objects: 0
Duration of the scan process: 4074 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\Cache(2)\9E7D35ADd01 Infected: Trojan.Win32.Dialer.ht
C:\Documents and Settings\Administrator\My Documents\Sounds\x-files sound bytes\xfilepur.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er
C:\Documents and Settings\Administrator\My Documents\Sounds\x-files sound bytes\xfilepur.exe Infected: Trojan-Downloader.Win32.Agent.er
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A00000.VBN Infected: Trojan-Downloader.VBS.Iwill.g
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A00001.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A80000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00AC0000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00D40000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00E00000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01700000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05DC0000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05DC0001.VBN Infected: Trojan-Downloader.VBS.Iwill.g
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05E00000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05E80000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05EC0000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05F00000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05F80000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05F80001.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06000000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07940000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07980000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\079C0000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A80000.VBN Infected: Trojan-Downloader.VBS.Iwill.g
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B00000.VBN Infected: Trojan-Downloader.VBS.Iwill.g
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B40000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40000.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40001.VBN Infected: Virus.Win32.Nsag.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07F40000.VBN Infected: Virus.Win32.Nsag.a
C:\Downloads\kinwinte.exe/WISE0019.BIN Infected: Backdoor.Win32.Ruledor.c
C:\Downloads\kinwinte.exe/WISE0020.BIN Infected: Trojan-Dropper.Win32.Mudrop.o
C:\Downloads\kinwinte.exe Infected: Trojan-Dropper.Win32.Mudrop.o
C:\Downloads\xfuture.exe/WISE0019.BIN/EXE-file/data0001/EXE-file Infected: Trojan-Downloader.Win32.Agent.ic
C:\Downloads\xfuture.exe/WISE0019.BIN/EXE-file/data0001/EXE-file Infected: Trojan-Downloader.Win32.Agent.gn
C:\Downloads\xfuture.exe/WISE0019.BIN/EXE-file/data0001 Infected: Trojan-Downloader.Win32.Agent.gn
C:\Downloads\xfuture.exe/WISE0019.BIN/EXE-file Infected: Trojan-Downloader.Win32.Agent.gn
C:\Downloads\xfuture.exe/WISE0019.BIN Infected: Trojan-Downloader.Win32.Agent.gn
C:\Downloads\xfuture.exe/WISE0020.BIN Infected: Trojan-Downloader.Win32.Agent.er
C:\Downloads\xfuture.exe Infected: Trojan-Downloader.Win32.Agent.er
C:\Program Files\nlao\oaau.exe Infected: Trojan-Downloader.Win32.PurityScan.w
C:\WINDOWS\system32\eudctrac.dll Infected: Virus.Win32.Bayan-based
C:\WINDOWS\system32\exe2saps.dll Infected: Backdoor.Win32.PPdoor.d
C:\WINDOWS\system32\kb16ogon.dll Infected: Virus.Win32.Bayan-based
C:\WINDOWS\system32\ltim0081.dll Infected: Backdoor.Win32.PPdoor.d
C:\WINDOWS\system32\mpg2dmat.dll Infected: Virus.Win32.Bayan-based
C:\WINDOWS\system32\noistify.dll Infected: Virus.Win32.Bayan-based
C:\WINDOWS\system32\oembsent.dll Infected: Backdoor.Win32.PPdoor.d
C:\WINDOWS\system32\prnchell.dll Infected: Virus.Win32.Bayan-based
C:\WINDOWS\system32\stsheros.dll Infected: Virus.Win32.Bayan-based
C:\WINDOWS\system32\txfdb32.dll Infected: Trojan.Win32.TopAntiSpyware.i
C:\WINDOWS\system32\vbscapi7.dll Infected: Backdoor.Win32.PPdoor.d
C:\WINDOWS\system32\vbsys2.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\WINDOWS\system32\wmisinv.dll Infected: Virus.Win32.Bayan-based

Scan process completed.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:42:23 AM, 07/22/2005
+ Report-Checksum: 627286C5

+ Scan result:

:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.287:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.290:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.292:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.293:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.336:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.337:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.343:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.345:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.367:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.424:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.427:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.454:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.463:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.464:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.465:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.466:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.498:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.506:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\Cleaners\Backups\backup-20050715-163525-827.dll -> Spyware.MediaTickets : Cleaned with backup
C:\System Volume Information\_restore{B727505B-DE4A-491C-87E4-491A69DD4A70}\RP3\A0000144.dll -> Trojan.Agent.eo : Cleaned with backup


::Report End
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Reader 6.0
AOL Instant Messenger
Azureus
Broadcom Driver Installer
Championship Bass
CleanUp!
Context Display
DiamondCS TDS-3
DivX Player
EA Network Play System
Easy CD & DVD Creator 6
ewido security suite
EZPhoto Browser
EZPhoto Tools
EZShowtime MMS
EZSuite For Video Chat Kit
EZVideo Chat 2.0
EZVideo Mail
FID-Adobe Reader 6.0
FID-Autodesk 6.0.4.2
FID-Fidelity Secure Profiles 3.0
FID-Fidelity TimeSync Utility NTP 2.0
FID-FlashPlayer 6
FID-Internet Explorer .NET FRAMEWORK FIX 6.0
FID-Internet Explorer 6 SP1
FID-IPTV v3.4 r2.0
FID-Microsoft Dot NET Framework v1.0 SP2 r1.0
FID-Microsoft Dot Net Framework v1.1 r 1.0
FID-Monitor Timeout Utility 1.4
FID-MSCAD 2.3.1
FID-Office XP
FID-ReBootUm 2.0
FID-Sametime Client 3.0 r1.0
FID-ShockWave 8.5
FID-WinZip 8.1 SR-1
HijackThis 1.99.1
hp deskjet 3600
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
HP Software Update
I.E. Host
IE Host R3
IE5 Registration
Intel® Extreme Graphics 2 Driver
Internet Explorer Q832894
IPTV Viewer
J2SE Runtime Environment 5.0 Update 1
Kaspersky Anti-Virus Web Scanner
LimeWire 4.8.1
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
MAIET Gunz
Microsoft .NET Framework (English)
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Office XP Professional
Microsoft Windows Journal Viewer
Mozilla Firefox (1.0.4)
MSN Messenger 7.0
MUSICMATCH Jukebox
neXBC 5.0
OIN
OnDVD
PSIBlade Online
QuickTime
Ragnarok Online
Ragnarok Online
Ragnarok Online
Ragnarok Online Sakray
Ragnarok Sakray
Ragnarok Sakray Pack
Rio Music Manager
RTC Client API v1.2
Sametime Client v3.0
Security Task Manager 1.6f
Select CashBack
Shockwave
SoundMAX
Spybot - Search & Destroy 1.3
Symantec AntiVirus Client
URL Display
USB PC Camera
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WinAce Archiver
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
WinPcap 3.1 beta4
WinZip
Yahoo! Messenger

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

yes, the company it came from is called fidelity investments. we were even given a login name and a password to sign in from but i'm not sure if we really need the software. we're not part of the company but i've always been scared to even delete the company accounts in case of messing up anything. maybe you know if they're important or not? oh and yes, the desktop is back to normal now. i can change the appearance to xp style now (which we couldn't do from the beginning), but i can only do it for this account. if i log off and try to change my user settings i can't again. do you happen to know a fix for this too? :tazz:

Edited by kagome54x, 22 July 2005 - 12:32 AM.
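As an added example (not part of this thread and not Kaspersky's own code), here is a small Python triage helper for the web scanner's report format posted above: it counts hits the way the report's "Scan Statistics" block does (the 53 infected objects above carry 13 distinct detection names) and separates files that are still live from copies that are already contained in Norton's Quarantine folder, a System Restore snapshot or the Firefox cache, so a removal list can be built from the live bucket only. The sample report lines are constructed from the format in the thread, and the bucket rules (which folders count as "already contained") are the editor's assumptions.

```python
"""Triage helper for a Kaspersky Anti-Virus Web Scanner report.

Added example, not code from the forum thread or from Kaspersky.  It reads
the "Infected Object Name - Virus Name" lines and sorts each hit into a
bucket so live infections stand out from copies another tool already holds.
"""
import re
from collections import defaultdict

# Constructed sample in the layout the web scanner prints (paths modelled on
# the thread; the System Restore GUID is a placeholder, not a real value).
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ax551sbt.default\Cache(2)\9E7D35ADd01 Infected: Trojan.Win32.Dialer.ht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A00000.VBN Infected: Trojan-Downloader.VBS.Iwill.g
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00A00001.VBN Infected: Virus.Win32.Nsag.a
C:\Downloads\xfuture.exe/WISE0019.BIN/EXE-file Infected: Trojan-Downloader.Win32.Agent.gn
C:\Downloads\xfuture.exe/WISE0020.BIN Infected: Trojan-Downloader.Win32.Agent.er
C:\Downloads\xfuture.exe Infected: Trojan-Downloader.Win32.Agent.er
C:\WINDOWS\system32\exe2saps.dll Infected: Backdoor.Win32.PPdoor.d
C:\WINDOWS\system32\vbsys2.dll Infected: Trojan-Clicker.Win32.Agent.ac
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP3\A0000144.dll Infected: Trojan.Agent.eo

Scan process completed.
"""

# One hit line: "<object path> Infected: <detection name>"
HIT_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")

# Assumed rules: hits under these folders are copies already held by another
# tool (AV quarantine, System Restore point, browser cache), not live files.
CONTAINED = (
    ("quarantine", re.compile(r"\\quarantine\\", re.I)),
    ("system-restore", re.compile(r"\\system volume information\\", re.I)),
    ("browser-cache", re.compile(r"\\cache(\(\d+\))?\\", re.I)),
)


def parse_hits(report):
    """Yield (top-level file, full object path, detection name) per hit line.

    Objects inside installers/archives are printed as "file/inner/...", so the
    same file on disk can produce several hit lines; the top-level file is the
    part before the first "/".
    """
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        obj = m.group("obj")
        yield obj.split("/", 1)[0], obj, m.group("name")


def classify(path):
    """Return the bucket for a top-level file path ("live" if not contained)."""
    for label, rx in CONTAINED:
        if rx.search(path):
            return label
    return "live"


def triage(report):
    """Return {bucket: {top-level file: set of detection names}}.

    "live" is what still needs action; the other buckets only need their
    containing store (quarantine, restore points, cache) emptied.
    """
    buckets = defaultdict(lambda: defaultdict(set))
    for top, _obj, name in parse_hits(report):
        buckets[classify(top)][top].add(name)
    return {k: dict(v) for k, v in buckets.items()}


def summary(report):
    """Counts matching the report's own statistics block: "infected objects"
    is the number of hit lines, "viruses found" the number of distinct names.
    """
    hits = list(parse_hits(report))
    return {
        "infected_objects": len(hits),
        "distinct_detections": len({n for _, _, n in hits}),
        "files_per_bucket": {k: len(v) for k, v in triage(report).items()},
    }


if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
    for path, names in sorted(triage(SAMPLE_REPORT).get("live", {}).items()):
        print("LIVE", path, sorted(names))
```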

#14
Canoeingkidd

    Malware Expert

  • Retired Staff
  • 148 posts

yes, the company it came from is called fidelity investments. we were even given a login name and a password to sign in from but i'm not sure if we really need the software. we're not part of the company but i've always been scared to even delete the company accounts in case of messing up anything. maybe you know if they're important or not?

I'm not sure what this software even does...ask the person you got it from if you need it...

oh and yes, the desktop is back to normal now. i can change the appearance to xp style now (which we couldn't do from the beginning), but i can only do it for this account. if i log off and try to change my user settings i can't again. do you happen to know a fix for this too?

I think I get what you are saying... you mean that there are other XP accounts on this computer? If that's the case, please post HijackThis logs from the other accounts in a reply to this topic.


Download Pocket KillBox from http://www.downloads...org/KillBox.zip
Unzip it to your desktop.
There should now be a KillBox.exe on your desktop.

Run Killbox:
  • Double-click KillBox.exe to start KillBox.
  • Select the "Standard File Kill" option.
  • Copy all of the following files at once:

    C:\Downloads\kinwinte.exe
    C:\Program Files\nlao
    C:\WINDOWS\system32\eudctrac.dll
    C:\WINDOWS\system32\exe2saps.dll
    C:\WINDOWS\system32\kb16ogon.dll
    C:\WINDOWS\system32\ltim0081.dll
    C:\WINDOWS\system32\mpg2dmat.dll
    C:\WINDOWS\system32\noistify.dll
    C:\WINDOWS\system32\oembsent.dll
    C:\WINDOWS\system32\prnchell.dll
    C:\WINDOWS\system32\stsheros.dll
    C:\WINDOWS\system32\txfdb32.dll
    C:\WINDOWS\system32\vbscapi7.dll
    C:\WINDOWS\system32\vbsys2.dll
    C:\WINDOWS\system32\wmisinv.dll
    C:\PROGRA~1\COMMON~1\WinTools
    C:\WINDOWS\System32\vidctrl
    C:\WINDOWS\Temp\TBuninst.exe
    c:\windows\system32\tgkxkcmz.exe
    C:\PROGRA~1\Toolbar
    C:\WINDOWS\System.VBS
    C:\Program Files\SurfAccuracy
    C:\PROGRA~1\SPYSPO~1
    C:\Program Files\PSGuard
    C:\WINDOWS\System32\picsvr
    C:\WINDOWS\System32\nsvsvc
    C:\Program Files\Media Gateway
    C:\WINDOWS\System32\l67r9gor.exe
    C:\Program Files\ISTsvc
    C:\Program Files\Internet Optimizer
    C:\WINDOWS\ittcwh.exe
    C:\WINDOWS\taius.exe
    C:\WINDOWS\System32\gah95on6.exe
    C:\WINDOWS\sidjo.exe
    C:\Program Files\BullsEye Network
    C:\WINDOWS\System32\advpack7.exe
    C:\Program Files\0mipec02
    C:\WINDOWS\System32\comres94.exe
    C:\PROGRA~1\COMMON~1\uiiq
    C:\WINDOWS\sfita.exe
    C:\Program Files\DR_S
    C:\WINDOWS\System32\dimap.exe
    C:\WINDOWS\System32\oembsent.dll


  • In Killbox go to "File" > "Paste from Clipboard."
  • Click the red button with a white X on it.
  • At the prompt entitled "Confirm Delete" select yes.
  • At the prompt entitled "Success" click OK.
  • Continue steps 5-7 until all the files are deleted.
  • Close Killbox.
Delete this file and folder unless you know what they are:
C:\Downloads\xfuture.exe
C:\Documents and Settings\Administrator\My Documents\Sounds\x-files sound bytes\


Also, all of the following HijackThis entries are legitimate...so why did you remove them again? I have bolded the ones I think you should restore, the rest are unnecessary.

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CheckRights] C:\Program Files\Fidelity\Security Configuration\chkrights.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: SnapDetect.lnk = ?
  • 0
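The O4 entries listed above all follow a fixed HijackThis layout (registry Run values in HKLM/HKCU and Startup-folder shortcuts). As an added example that is not part of this thread or of HijackThis itself, here is a small Python parser for that layout; the entry fields, the regular expressions and the handling of unresolved "?" targets are my own assumptions about the format, and the sample lines are copied from the log quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: O4 lines copied from the HijackThis log quoted above, plus one non-O4 line.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SpySweeper] "C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe" /startintray
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O4 - HKCU\\..\\Run: [Yahoo! Pager] C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office XP\\Office10\\OSA.EXE
O4 - Global Startup: SnapDetect.lnk = ?
O3 - Toolbar: (not an O4 entry, so the parser skips it)
"""

# Registry form:        O4 - HKLM\..\Run: [ValueName] command
REGISTRY_RE = re.compile(r"^O4 - (?P<loc>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# Startup-folder form:  O4 - Global Startup: Name.lnk = target
STARTUP_RE = re.compile(r"^O4 - (?P<loc>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Unquoted command line: the path runs up to the first executable extension followed by a space or the end.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$", re.IGNORECASE)

@dataclass
class AutostartEntry:
    location: str       # "HKLM", "HKCU", "Global Startup" or "Startup"
    name: str           # registry value name or .lnk file name
    exe: Optional[str]  # executable path; None when HijackThis logged "?" (unresolved target)
    args: str           # remaining command-line arguments, "" if none

def split_command(cmd: str) -> Tuple[Optional[str], str]:
    """Split a logged command into (executable, args), handling quoting, spaces in paths and '?'."""
    cmd = cmd.strip()
    if cmd == "?":
        return None, ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    m = EXE_RE.match(cmd)
    return (m.group("exe"), m.group("args") or "") if m else (cmd, "")

def parse_o4(log: str) -> List[AutostartEntry]:
    """Return one AutostartEntry per O4 line; lines from other HijackThis sections are ignored."""
    entries = []
    for line in log.splitlines():
        m = REGISTRY_RE.match(line) or STARTUP_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            entries.append(AutostartEntry(m.group("loc"), m.group("name"), exe, args))
    return entries
```

Entries whose `exe` comes back as `None` are the ones HijackThis could not resolve, such as the SnapDetect.lnk line, and are worth checking by hand.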

#15 kagome54x (Topic Starter, Member, 14 posts)
Okay, I talked to my dad. Apparently, some problems came up with the guy who owns the company and bought us the computer, so I don't think he's willing to help us. Would it be possible to purchase Windows XP Home Edition, install that, and rewrite everything so nothing involving this company would be on it?

Also, with the other accounts, I can't figure out the login names. This goes along with all our other settings being messed up. When you go to log on to the computer, there's no pretty blue screen showing all the accounts with their icons and names. There's just a Windows 98 style screen where you have to type in the login name and password. I still don't understand why our settings are like this; could it be that software from the company?

Sorry for asking so many other questions. I'd just really like it if we can get the computer to how it's supposed to be; I think it wishes it was Windows 98. :tazz:

I ran KillBox and deleted everything you said except for a few. There were several things that said they were already deleted. Also, C:\Program Files\nlao and C:\Program Files\0mipec02 couldn't be deleted.

Also, I'm sorry for deleting some legitimate things. I just got really worried when my sound card wasn't working and my drivers folder had been modified, so I deleted everything I didn't know about. Bad mistake, sorry again.
  • 0
